Leonid Isaev <lisaev@umail.iu.edu> on Sun, 4 Mar 2012 10:32:45 -0600:
On Sun, 4 Mar 2012 14:56:43 +0100 Christian Hesse <list@eworm.de> wrote:
Ionut Biru <ibiru@archlinux.org> on Sun, 04 Mar 2012 12:57:53 +0200:
On 03/04/2012 12:22 PM, Christian Hesse wrote:
I think it makes sense to not allow pages related to package signing being delivered via http. Instead automatically redirect to https to avoid man in the middle attacks. First site that comes to my mind: https://www.archlinux.org/master-keys/
open a feature request and tag it with {archweb}
Done. Thanks! https://bugs.archlinux.org/task/28771
The strong point of the signing thingy is users' ability to verify keys using multiple independent sources, such as devs' personal websites, keyservers, etc. Relying on archlinux.org solely would be a mistake, imho. Do I really trust in integrity of archlinux.org infrastructure? Not really, but I don't have to.
Having said that, just use https:// directly or install a browser plugin (e.g. https finder).
Sure you should check multiple independent sources. But if all of them are unencrypted by default it would be fairly easy to use netsed or similar tools on a single network node to replace all key fingerprints by faked ones. Only those users that are aware of this risk will use https://. -- Best regards, Chris O< ascii ribbon campaign stop html mail - www.asciiribbon.org